A hacker just stole your savings. Does the bank have to reimburse you? The answer could well be "no".

This is scary stuff for anyone with more than a few bucks in their bank accounts or a decent credit limit.

The first thing some customers know about fraud on their accounts is a call from the bank, which has picked up unusual transactions - often from the likes of Nigeria or Russia.

Chances are they'll be refunded. Yet banks can and do refuse to reimburse customers who've breached the terms and conditions. That leaves customers at the mercy of their bank's "goodwill" - which they exercise sometimes.


Whenever I read my bank's terms and conditions, however, it leaves me feeling very nervous. In most T&Cs you must:

Safeguard your security details

Yet it's not unusual for parents to send children into a shop with their credit card. Nor is it uncommon to receive calls purporting to be from bank staff, Microsoft, Spark or others aiming to trick you out of those details. Even if you're conned into handing over a Pin or passwords, you've still breached this rule.

Don't let others watch

How many people are 100 per cent sure they're not being watched from behind or above when using an eftpos terminal or bank ATM, or listened to on the phone?

I'm sure there have been times I didn't notice someone near me.

Choose unique security details

If you're like me, you log into dozens of different websites. Have you used your bank login for anything else? How secure are your passwords and do you update them? Writing down your Pin or storing it electronically breaches T&Cs.

Never leave a banking app open

If you leave your account open and unattended, say goodbye to being reimbursed for theft or fraud that results from your actions. It's too easy to forget to log out after doing some banking, or to step away from your computer.

The banks also require customers to use anti-virus software, firewalls and anti-spyware on the devices they bank on and also to update their operating systems when security updates become available.

The Code of Banking Practice requires banks to have secure systems, and they will pay out for a direct loss related to a breach of security at their end.


"In short, the code provides that the bank reimburses the customer if s/he is a genuine victim of fraud unless the bank customer has been negligent or breached the terms and conditions of their account in some other way," says Banking Ombudsman Nicola Sladden.

Sladden has dealt with some heart-wrenching cases. The banks are sometimes "quick to say the customer has contributed to the loss".

But these cases are rarely clear cut, she says. She cites one case where the customer's email was hacked over public Wi-Fi at a United States airport.

The criminals then used her email address to contact the bank and request money be wired overseas from accounts that at the time contained $100,000.

The Ombudsman sided with the customer, however, and did not accept the account holders contributed to the fraud by accessing their Gmail using public Wi-Fi.

An interesting lesson from this case is that I haven't been that vigilant about deleting emails that contain documents and other information that could be used to impersonate you.

I sometimes send signed permission slips by email. Had I been this customer, the hackers could get hold of my genuine signature to copy. I've also emailed scans of my passport. Ouch.

The Ombudsman's files are littered with examples where relatives, caregivers, and others get their hands on a vulnerable person's Pins and help themselves to money.

There are also numerous cases of lovelorn Kiwis sending money overseas to people they've just met online.

Unless the bank has exacerbated the problem in some way by failing to act on suspicions or letting unauthorised people change security details, for example, the customer is usually out of luck.

In one case heard by the Ombudsman a man was mugged and forced to reveal his Pin. The bank told him it didn't have to pay because he gave away his Pin.

I'm sure most Kiwis would assume they'd be refunded if this happened to them. Wrong.

One thing that made me raise an eyebrow this week was discovering Kiwis have less chance of being reimbursed than Brits or Australians.

If a New Zealand bank customer is "negligent" in relation to a fraud the bank doesn't need to reimburse.

In the UK that bar is "gross negligence" and in Australia it's "extreme carelessness", which means Kiwis have less protection than customers in these other countries.